• First introduced in Bologna, Italy in 1282
• Dandy Roll presses pattern into drying paper
– Changes thickness of paper fibers
– By paper makers to identify their product
– Security for stamps, official documents.
– Stock certificates, money, etc.
• Other “watermarks”
– Printing on plastic with a window.
(Australian $10 note)
• Pressed into paper during paper-making
• Wet pulp sprayed onto moving belt
• Dandy Roll pressed into pulp
• Dandy Roll looks
J. Plank Features
• In-house watermark design
• Computerized design process
• Quick-change sleeves and
• High grade stainless steel construction
• Incorporates internal oscillating shower, internal pan, internal steam shower and external saveall pan
• Extended Header Brush for easy cleaning of shower pipe
Laser Printed “Watermarks”
• Used on bond
paper, but who
– Doesn't work
well in inkjets
with most print
• Looks great
• You can even put it in
your PDF file…which
is the problem!
• No security
Printed Document Authentication
• Microprinting – Print that is too small to produce or copy
with conventional equipment
• Intaglio – engraved pattern used to press ink with great
force; raised letters
• Letterpress – Ink rolled onto raised type, leaving depression.
Used for printing numbers.
• Simultan press – precise registration of front and back.
(see-through register). Changing ink colors (rainbowing).
• Optically variable inks (change color depending on
• Metal foils & threads embedded in paper
• Security holograms
Lessons for paper authentication
• Security features should convey a message
relevant to the product.
– Use iridescent ink to print the banknote denomination
• Should obviously belong where they are
– They become “embedded in the user's cognitive
• Should be obvious
• Should not have competitors
• Should be standardized
Source: Security Engineering, Anderson
• Copyright Marks:
– Watermarks - Hidden copyright messages
– Fingerprints – Hidden serial numbers
– Hidden messages.
• Other applications:
– Closed captioning (hidden in first 21 scan lines)
– Audio RDS (Radio Data Service)-like service
• “What's that song?”
Watermarks for Copyright Policy
• “never copy”
• “copy only once”
• “copy only at low quality”
JPMG Linnartz, “The ‘Ticket’ Concept for Copy Control
Based on Embedded Signaling” (Anderson  )
Suggests a hash-based implementation of “copy only
– X is the ticket
– Record h(h(X)) on DVD
– Provided with X, DVD recorder stores h(X) on second-
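The ticket scheme above, worked through as an added example (not from the slides or from Linnartz's paper). SHA-256 stands in for h, and the `Disc` class, the function names and the recorder's refusal rule are assumptions made for illustration.

```python
import hashlib

def h(data):
    """One-way hash h. SHA-256 is an assumption; the slide does not name one."""
    return hashlib.sha256(data).digest()

class Disc:
    """Hypothetical disc model: content, embedded mark, optional stored value."""
    def __init__(self, content, mark, stored=None):
        self.content = content
        self.mark = mark        # h(h(X)), recorded on the DVD
        self.stored = stored    # h(X) on a recorder-made copy, None on an original

def press_original(content, ticket):
    """Publisher side: record h(h(X)) on the disc; X is handed over as the ticket."""
    return Disc(content, h(h(ticket)))

def compliant_copy(source, presented):
    """Recorder side: copy only when the presented value hashes twice to the mark,
    then store h(presented) on the new disc, never the ticket itself."""
    if h(h(presented)) != source.mark:
        return None                      # refuse: not a valid ticket for this mark
    return Disc(source.content, source.mark, stored=h(presented))

def run_demo():
    ticket = b"constructed-ticket-X"     # constructed sample value
    original = press_original(b"constructed video payload", ticket)
    first = compliant_copy(original, ticket)            # allowed: h(h(X)) matches
    # The copy only carries h(X). Presenting it gives h(h(h(X))) != h(h(X)).
    second = compliant_copy(first, first.stored)        # refused
    guess = compliant_copy(original, b"wrong ticket")   # refused
    return first is not None, second is None, guess is None, first.stored == h(ticket)

if __name__ == "__main__":
    print(run_demo())
```

The one-wayness of h is what keeps the holder of a copy from recovering X out of the stored h(X).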
The Broadcast Flag
• “Advanced Television Systems Committee Flag”
– high-quality digital output
– Re-transmitting on an “unprotected” channel
• In the future:
– Disallow fast-forward through commercials
• Required on all digital TV cards sold after July 2005
• Only broadcast, not satellite or cable-transmitted.
“Losing Control of Your TV,” Technology Review, March 3, 2004
• A hidden message that can't be found by
• A hidden message that can't be found by
• A hidden message that can be found by
an algorithm but not by a human.
• A hidden message that can be found by
some algorithms but not others.
What is Hidden?
Defining "Hidden" is not easy
– We run into the usual Goedel limits that prevent us
from being logical about detection.
– Humans are very different. Some
musicians have very, very good ears.
– Some algorithms leave statistical anomalies. The
message is often more random than the carrier
signal. These statistics can give away the message.
Who wants it?
• Evil doers. If evil messages can't be seen by good
people, evil will triumph. Osama bin Laden?
• Good doers. If the good guys can communicate in
secret, then good will triumph. U.S. forces
• Content owners and copyright czars. Hidden messages
can carry information about rights to view, copy, share,
listen, understand, etc.
• Software Developers. "Hidden" channels can be added
to data structures without crashing previous versions.
Steganography can fight bit rot.
Models for Steganography
• Replace random number generators with the
– This works if the random numbers are used in a detectable way.
– TCP/IP, for instance, uses a random number for connections.
Some grab this for their own purposes.
• Replace noise with the message.
– Just replace the least-significant bit.
– Avoid the noise and tweak the salient features.
• Anything not affected by compression.
– If you have the freedom to change data without hurting the data,
then you have the freedom to include another message.
Models for Steganography
• Structured Models
– Run some compression algorithm in reverse
• If the compression models the data accurately, then running
it in reverse should spit out something that models the data
• Huffman algorithms give common letters short bit strings and
rare ones long ones.
– Change the structure or the order.
• GifEncoder, for instance, changes the order of the colors in
– Synthesize something new and use the data to guide
• Is the ghoul shooting at you in the game using a revolver or a
machine gun? That's one bit.
• The least significant bit of pixels or sound
files is very popular.
• Tweaking the LSB is only a small change.
Less than 1%.
• You can encrypt, too!
LSB modified to hide info
• Side Effects:
– The data may not have the same statistical
pattern as the least significant bits being
• Add a lot of noise, and it's obvious
4 LSB modified produces banding
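An added example (not from the slides) of the LSB replacement described above and the statistical side effect it leaves. It goes one step beyond the slide by adding a detector: a chi-square test over value pairs, chosen for this example since the slides name no detection method. The cover data, seed and function names are constructed.

```python
import hashlib
from collections import Counter

def payload_bits(seed, n):
    """n pseudo-random bits from SHA-256 in counter mode: a stand-in for an
    encrypted message, which looks uniformly random."""
    bits, ctr = [], 0
    while len(bits) < n:
        block = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        bits.extend((byte >> i) & 1 for byte in block for i in range(8))
        ctr += 1
    return bits[:n]

def embed_lsb(cover, bits):
    """Replace the least-significant bit of each 8-bit sample with a payload bit."""
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego, n):
    return [sample & 1 for sample in stego[:n]]

def pair_chi_square(samples):
    """Chi-square statistic over value pairs (2k, 2k+1), plus the number of pairs seen.
    Random LSBs push both counts in a pair toward their mean, so a statistic near
    the pair count (one degree of freedom per pair) is what embedding looks like."""
    hist = Counter(samples)
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        if even + odd:
            expected = (even + odd) / 2
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
            pairs += 1
    return stat, pairs

# Constructed cover: a 64x64 gradient quantised to even values, so its LSBs are all 0.
COVER = bytes(40 + 2 * (i // 64) for i in range(4096))
BITS = payload_bits(b"constructed-seed", len(COVER))
STEGO = embed_lsb(COVER, BITS)

def max_sample_change():
    return max(abs(a - b) for a, b in zip(COVER, STEGO))

if __name__ == "__main__":
    print(max_sample_change(), pair_chi_square(COVER), pair_chi_square(STEGO))
```

No sample moves by more than 1 out of 255, yet the pair statistic drops from 4096 on this cover to roughly the number of pairs once the random-looking payload is in place.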
More LSB Modification
8 out of 8 bits
All 8 bits
Bit 8 vs. Bit 1
• Information hiding at the bit level:
• Encoding information through list order:
“Hide and Seek: An Introduction to Steganography”
IEEE Security & Privacy
Figure 2. Embedded information in a JPEG. (a) The unmodified original picture; (b) the picture with the first chapter of The Hunting of the Snark embedded in it.
• Robust mesh watermarking, Emil Praun,
Hugues Hoppe, Adam Finkelstein,
Proceedings of the 26th annual
conference on Computer graphics and
Issues to evaluate
– Payload carrying ability
• Securing information: Capacity is the wrong
paradigm, Ira S. Moskowitz, LiWu Chang,
Richard E. Newman,
September 2002 Proceedings of the 2002
workshop on New security paradigms
Secure Digital Media Initiative
• SDMI (200+ companies) published an “Open
Letter to the Digital Community” with an SDMI
– Earn up to $10,000 for breaking their “watermarks”
– Challenge from September 15, 2000 – October 7,
• SDMI Systems:
– Designed to prevent “remixing” of privated CDs
– Designed to survive MP3 compression
SDMI & The Academics
• The Academics:
– Scott Craver, Patrick McGregor, Min Wu, Bede Liu,
(Dept. of Electrical Engineering, Princeton University)
– Adam Stubblefield, Ben Swartzlander, Dan S.
Wallach (Dept. of Computer Science, Rice University)
– Edward W. Felten (Dept. of Computer Science,
• What they did:
– Successfully removed the digital watermark from the
challenge audio samples.
• How did they know they did it?
– SDMI provided an “Oracle” that told them they did!
SDMI & Academics: Part 2
• Academics couldn't claim cash prize
– Doing so would have required signing a “confidentiality agreement” and
prohibited the academics from sharing results with the public
• DMCA didn't apply…
– … because SDMI specifically invited the work
• Felten &c decided to present their findings at the 4th International
Information Hiding Workshop April 25-29, 2001
• April 9, 2001 RIAA Senior VP for Business and Legal Affairs sent
Felten a letter with veiled DMCA threats
• April 26, 2001 Felten declines to present paper
• May 3, 2001 – RIAA and SDMI say they never intended to sue
• June 6, 2001 – Felten files suit against RIAA asking for a
declaratory judgment that they would not be infringing
declaratory judgment that they would not be infringing
• November 28, 2001 – Case dismissed for mootness
• Leading provider of
• Plug-ins for Windows,
– Copyright ownership
– Image ID
– Image content – adult,
Tools and References
• Fabien A. P. Petitcolas
• Hiding Secrets with Steganography, by
• Defeat an embedded watermark by
chopping up image and serving it in pieces
<img SRC="kings_chapel_wmk1.jpg" BORDER="0" ALT="1/6" width="116" height="140">
<img SRC="kings_chapel_wmk2.jpg" BORDER="0" ALT="2/6" width="116" height="140">
<img SRC="kings_chapel_wmk3.jpg" BORDER="0" ALT="3/6" width="118" height="140">
<img SRC="kings_chapel_wmk4.jpg" BORDER="0" ALT="4/6" width="116" height="140">
<img SRC="kings_chapel_wmk5.jpg" BORDER="0" ALT="5/6" width="116" height="140">
<img SRC="kings_chapel_wmk6.jpg" BORDER="0" ALT="6/6" width="118" height="140">
• Some websites use mosaics to deter casual
• Hides information in MP3 files during the
• Takes advantage of the fact that MP3 provides
high-quality compression of 11:1
– Plenty of room for information hiding!
– Randomly chooses which parts of the Layer III inner
loop to modify; makes sure modifications don't
exceed threshold defined by the psycho acoustic
• “Weak but better than the MPEG copyright flag
defined in the standard”
• Defeat by decompressing & recompressing
MP3Stego in action
(More Wayner Work,
if we have time…)
• Instead of:
– INSERT INTO purchases
values ("bob jones", 55424, "36", NOW())
– INSERT INTO purchases
values (MD5("bob jones", 55424, "36",
TD's with Redundancy
• INSERT INTO salaries2 VALUES (
MD5("Fred Smith/1313 Mockingbird Lane/06-01-
MD5("Fred Smith/1313 Mockingbird Lane/012-34-5678"),
MD5("Fred Smith/1313 Mockingbird Lane/06-01-1960"),
MD5("Fred Smith//06-01-1960/012-34-5678"), 60000, 5
nameHash1 nameHash2 Message
explaining to do
It's not my fault!
Inserting into multi-user table
• INSERT INTO bboard1
got some explaining to do.")
• INSERT INTO bboard1
PT("You've got some explaining to do."))